On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
> Yes, we posted all 2015 issued SSL from WoSign trusted root.
>
> On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
>> Based on CT logs, I have seen certificates from the CAs below, all of
>> which have "WoSign" in the name.  Have you logged all certificates
>> which are signed by these CAs and have a notBefore date of
>> 20150101000000Z or later to the WoSign CT log?

Richard,

It seems then there is a newly exposed bug.
https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad
shows a certificate issued by your CA that has a notBefore in March
2015.  It does not appear in the CT log.  However another certificate
with identical serial number and subject, but different Validity, does
appear in the log.

Are you aware of a bug where you were issuing certificates identical
except for validity period?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to